From IndieWeb

WebAuthN as 1FA or 2FA was a session at IndieWebCamp Berlin 2018.

Notes archived from:https://etherpad.indieweb.org/webauthn

IndieWebCamp Berlin 2018
Session: WebAuthN as 1FA or 2FA
When: 2018-11-03 13:15



  • Joel would like to be able to get rid of passwords; using webauthn as a single factor autentication (1FA).
    • Was pointed at selfauth and its JS fork
    • Wants to get WebAuthn in there
  • Joel would also like to use webauthn as the simplest way (if you already have a token) to "register" on a website.
    • Just click the button (on the physical token) at the login prompt.
    • Identifying as a returning is the same procedure.
    • Might need to keep backup authentication methods (additional physical tokens? indieauth? email single-use tokens?) per user, in case the physical token is lost.
  • Adding webauthn to indieauth.com might not be a good approach, due to @aaronpk changing project direction.
    • Is still open source and self-hostable.

  • Soft tokens VS hardware tokens
    • Soft tokens would interface with the same standard, but from computer software rather than USB (or other hardware stacks)
    • Can be a bridge between the browser and any (?) other means of authentication.
    • Would most likely require the browser to know about the new method, which might not be possible without recompilation (?) or perhaps very low-level plugins.
  • It is good to see WebAuthn standard, but who will start using it?
    • Google is using it a lot internally
    • How can we get more CMS systems to support these systems?
      • Plugins to modify or replace login screens?

See Also